Microsoft Windows Defender Device Guard offers a variety of capabilities, but IT professionals must enable Device Guard properly.
First, IT pros must ensure that the underlying hardware meets the minimum requirements for Device Guard: a 64-bit processor with virtualization extensions, such as Intel VT-x or AMD-V, and extended page tables; Trusted Platform Module (TPM) 2.0; Unified Extensible Firmware Interface (UEFI) 2.3.1.c or later with Secure Boot enabled; and Hypervisor-Enforced Code Integrity (HVCI)-compatible Windows drivers.
In addition, IT must handle firmware updates through Windows Update, and the system must support the Hardware Security Test Interface (HSTI) standards.
Enabling Windows Defender Device Guard
To enable Windows Defender Exploit Guard and Application Control features, IT can use desktop management tools including Group Policy, Microsoft System Center Configuration Manager, Windows PowerShell and Microsoft Intune.
The Windows Defender Device Guard features are virtualization-based, so IT must enable Hyper-V before they deploy anything from Device Guard. For example, endpoints running Windows 10 Enterprise or Education editions can enable Hyper-V through the Windows Features dialog by typing "Turn Windows features on or off" in the Search dialog on the Taskbar.
After IT enables Hyper-V, it can open the Local Group Policy Editor -- gpedit.msc. Desktop administrators can launch the editor directly by typing "gpedit.msc" in the Run bar, or through Windows Search by typing "gpedit.msc" in the Search bar and selecting the corresponding applet from the results. If the file is not found, IT may need to install the Local Group Policy Editor.
Once the Local Group Policy Editor starts, desktop admins should navigate to "Computer Configuration\Administrative Templates\System\Device Guard" and locate the "Turn On Virtualization Based Security" policy entry. IT pros should double-click the entry, set it to Enabled and select the desired options, such as Secure Boot and UEFI lock. After configuring the features, IT pros should close the Local Group Policy Editor and restart the computer.
If administrators would prefer to use Windows PowerShell to manage Windows Defender Device Guard features, Microsoft provides a Device Guard and Credential Guard hardware readiness tool which runs a PowerShell script to check hardware and enable Device Guard.
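The hardware prerequisites listed at the start of the article and the "Turn On Virtualization Based Security" setting from the previous section, as an added PowerShell example; this is not the article's own code and not Microsoft's hardware readiness tool. It assumes an elevated PowerShell session on Windows 10 Enterprise or Education. The function names are this example's own, and the values it writes under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard are the registry equivalents of the Group Policy entry, to be checked against Microsoft's documentation for the Windows build in use.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or from Microsoft's readiness tool.
# Function names are this example's own. Run in an elevated session on Windows 10.

function Test-DeviceGuardPrereq {
    # Reports each prerequisite the article lists as $true/$false.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, which also fail the UEFI requirement.
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    $hyperV = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All

    [pscustomobject]@{
        Is64BitOS            = [Environment]::Is64BitOperatingSystem
        # Once Hyper-V is running, the hypervisor hides VT-x/AMD-V from the OS view,
        # so treat $false here as "unknown" on a host where Hyper-V is already enabled.
        VirtualizationInFw   = [bool]$cpu.VirtualizationFirmwareEnabled
        SLAT                 = [bool]$cpu.SecondLevelAddressTranslationExtensions
        Tpm20Present         = ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')
        SecureBootEnabled    = [bool]$secureBoot
        HyperVFeatureEnabled = ($hyperV.State -eq 'Enabled')
    }
}

function Get-DeviceGuardState {
    # Win32_DeviceGuard is the WMI class Windows exposes for VBS status; use it after the
    # restart to confirm that the policy actually took effect.
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbs = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    [pscustomobject]@{
        VbsStatus              = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        # Security service IDs: 1 = Credential Guard, 2 = HVCI
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciConfigured         = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Set-DeviceGuardPolicy {
    # Writes the registry values behind the "Turn On Virtualization Based Security"
    # Group Policy entry, for hosts without gpedit.msc or for scripted rollout.
    # Supports -WhatIf so the change can be previewed before committing to a restart.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('SecureBoot', 'SecureBootAndDma')]
        [string]$PlatformSecurity = 'SecureBoot',
        [switch]$EnableHvci,
        [switch]$UefiLock   # UEFI lock: the setting cannot be cleared remotely afterwards
    )
    $base     = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvci     = "$base\Scenarios\HypervisorEnforcedCodeIntegrity"
    $platform = if ($PlatformSecurity -eq 'SecureBoot') { 1 } else { 3 }
    $locked   = [int]$UefiLock.IsPresent

    if ($PSCmdlet.ShouldProcess($base, 'Enable virtualization-based security')) {
        New-Item -Path $base -Force | Out-Null
        New-ItemProperty -Path $base -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $base -Name RequirePlatformSecurityFeatures -Value $platform -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $base -Name Locked -Value $locked -PropertyType DWord -Force | Out-Null
    }
    if ($EnableHvci -and $PSCmdlet.ShouldProcess($hvci, 'Enable HVCI')) {
        New-Item -Path $hvci -Force | Out-Null
        New-ItemProperty -Path $hvci -Name Enabled -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $hvci -Name Locked -Value $locked -PropertyType DWord -Force | Out-Null
    }
    Write-Output 'Restart the computer for the change to take effect.'
}

# Usage: check readiness, preview the change, then apply it and verify after the reboot.
Test-DeviceGuardPrereq | Format-List
Set-DeviceGuardPolicy -PlatformSecurity SecureBoot -EnableHvci -WhatIf
Get-DeviceGuardState | Format-List
```

Run the readiness function first and fix any $false entry before writing the policy; a host that fails the prerequisites ends up with VbsStatus reporting "Enabled, not running" after the restart, which is the state to look for when a rollout silently does nothing. Leave out -UefiLock until the configuration has been validated on a pilot group, because a locked setting has to be cleared with physical access to the machine.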